Client Certificate Authentication is an advanced security mechanism allowing connecting Clients to prove their identity to a Server by providing a Certificate. This can be accomplished by configuring IIS to require an established Certificate from the connecting devices.

Step-by-Step Reference for Configuring IIS for client certificates

These steps are technical and quite involved, and need to be followed closely to ensure nothing is missed.

Configuring KeePass for Pleasant Client

Here is a technical summary of how the functionality works:

The Client establishes a TLS/SSL session with IIS and sends a request. IIS then sends a new TLS/SSL request to renegotiate the session for client certificate authentication, and asks the client for a certificate. Once the client provides it, the second TLS/SSL negotiation completes successfully.

To set the option, open this KeePass config file:

%appdata%\KeePass\PasswordServerClientConfiguration.xml

Look for the Thumbprint on your client certificate. Add a line called ClientCertThumbprint so that the file includes lines that look similar to this:
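
To find the value to use for ClientCertThumbprint, the PowerShell below lists the certificates that can be used for client authentication and cleans up a thumbprint copied from the certificate dialog. It is an added example, not part of the original documentation; the store path Cert:\CurrentUser\My, the function names and the sample thumbprint are assumptions.

```powershell
# Added example. Assumes the client certificate is installed in the current
# user's Personal store; change $StorePath if yours lives elsewhere.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

function ConvertTo-CleanThumbprint {
    param([Parameter(Mandatory)][string]$Value)
    # Thumbprints copied from the certificate dialog often carry spaces or an
    # invisible left-to-right mark (U+200E); keep only the hex digits.
    $hex = ($Value -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($hex.Length -ne 40) {
        throw "Expected 40 hex characters (SHA-1 thumbprint), got $($hex.Length)."
    }
    $hex
}

function Get-ClientAuthCertificate {
    param([string]$StorePath = 'Cert:\CurrentUser\My')
    $now = Get-Date
    Get-ChildItem -Path $StorePath | Where-Object {
        $_.HasPrivateKey -and                      # needed to prove identity
        $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        # No EKU extension means the certificate is valid for all purposes.
        ($_.EnhancedKeyUsageList.Count -eq 0 -or
         $_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid)
    }
}

# List candidates with the thumbprint to copy into the configuration file.
Get-ClientAuthCertificate |
    Select-Object Subject, NotAfter, Thumbprint |
    Format-List

# Verify a thumbprint that was pasted by hand (constructed sample value,
# with spaces and a leading hidden character as the dialog would give it).
$pasted = [char]0x200E + '01 23 45 67 89 ab cd ef 01 23 45 67 89 ab cd ef 01 23 45 67'
$clean  = ConvertTo-CleanThumbprint -Value $pasted
if (Test-Path -Path "Cert:\CurrentUser\My\$clean") {
    "Found certificate $clean in the store."
} else {
    "No certificate with thumbprint $clean in Cert:\CurrentUser\My."
}
```

A thumbprint that contains hidden characters will not match the certificate, so use the cleaned 40-character value in the configuration file.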